Highlights of GAO-14-10, a report to
congressional  committees 


DOD  FINANCIAL  MANAGEMENT 

The  Defense  Finance  and  Accounting  Service  Needs 
to  Fully  Implement  Financial  Improvements  for 
Contract  Pay 


Why  GAO  Did  This  Study 

The  National  Defense  Authorization 
Act  for  Fiscal  Year  2013  mandated  that 
DOD’s  FIAR  Plan  include  the  goal  of 
validating  that  DOD’s  Statement  of 
Budgetary  Resources  (SBR)  is  audit 
ready  by  no  later  than  September  30, 
2014.  DOD  identified  contract  pay  as 
one  of  the  key  elements  of  its  SBR. 
DFAS,  the  service  provider  responsible 
for  the  department’s  contract  pay, 
asserted  that  its  processes,  systems, 
and  controls  over  contract  pay  were 
suitably  designed  and  operating 
effectively  to  undergo  an  audit. 

DOD’s  FIAR  Guidance  provides  a 
methodology  DOD  components  are 
required  to  follow  to  develop  and 
implement  FIPs  to  improve  financial 
management  and  assert  audit 
readiness.  The  FIP  is  a  framework  for 
planning,  executing,  and  tracking  the 
steps  and  supporting  documentation 
necessary  to  achieve  auditability. 

GAO  is  mandated  to  audit  the  U.S. 
government’s  consolidated  financial 
statements,  including  activities  of 
executive  branch  agencies  such  as 
DOD.  This  report  discusses  the  extent 
to  which  DFAS  implemented  its 
contract  pay  FIP  in  accordance  with 
the  FIAR  Guidance.  GAO  reviewed  the 
FIP  and  related  work  products,  such  as 
process  flowcharts,  test  plans,  and  test 
results,  and  interviewed  DFAS  and 
DOD  officials. 

What  GAO  Recommends 

GAO  is  making  nine  recommendations 
for  DFAS  to  fully  implement  the 
requirements  in  the  FIAR  Guidance  in 
the  areas  of  planning,  testing,  and 
corrective  actions.  DOD  concurred  with 
the  recommendations  and  described 
its  actions  to  address  them. 

View  GAO-14-10.  For  more  information, 
contact  Asif  A.  Khan  at  (202)  512-9869  or 
khana@gao.gov. 


What  GAO  Found 

The  Defense  Finance  and  Accounting  Service  (DFAS)  is  responsible  for 
processing  and  disbursing  nearly  $200  billion  annually  in  contract  payments 
(contract  pay)  for  the  Department  of  Defense  (DOD).  DFAS  recognized  the 
importance  of  implementing  a  Financial  Improvement  Plan  (FIP)  to  improve  its 
contract  pay  processes,  systems,  and  controls,  and  performed  steps  required  by 
DOD's  Financial  Improvement  and  Audit  Readiness  (FIAR)  Guidance,  such  as 
performing testing of internal controls, and substantive processes. However,
GAO found that DFAS did not fully implement the steps required by the FIAR
Guidance.  GAO  found  numerous  deficiencies  in  the  implementation  of  DFAS’s 
contract  pay  FIP,  including  the  following: 

•  DFAS  did  not  adequately  perform  certain  planning  activities  for  its  contract 
pay  FIP  as  required  by  the  FIAR  Guidance.  For  example,  DFAS  did  not 
assess  the  dollar  activity  and  risk  factors  of  its  processes,  systems,  and 
controls,  which  resulted  in  the  exclusion  of  three  key  processes  from  the  FIP, 
including  the  reconciliation  of  its  contract  pay  data  to  the  components’ 
general  ledgers.  Standards  for  Internal  Control  in  the  Federal  Government 
states  that  control  activities  such  as  reconciliations  are  an  integral  part  of  an 
entity’s  planning,  implementing,  reviewing,  and  accountability  for  stewardship 
of government resources and achieving effective results. As a result, DFAS did
not  obtain  sufficient  assurance  that  the  contract  disbursements  are 
accurately  recorded  and  maintained  in  the  components’  general  ledgers,  and 
that  the  status  of  DOD’s  contract  obligations  is  accurate  and  up-to-date. 

•  DFAS  did  not  adequately  perform  required  testing  of  its  contract  pay  controls, 
processes,  and  balances.  For  example,  DFAS  did  not  adequately  validate 
the  populations  used  to  perform  substantive  and  internal  control  testing  as 
required by the FIAR Guidance. DFAS officials stated that they validated
the population that was tested; however, GAO found that the process
followed  by  DFAS  for  validating  the  population  did  not  include  a  reconciliation 
of  the  population  to  the  components’  general  ledgers.  As  a  result,  additional 
deficiencies  may  exist  in  DFAS’s  contract  pay  controls  and  additional  errors 
may  exist  in  the  recorded  transactions  activity  and  balances,  which  affects 
the  components’  ability  to  rely  on  DFAS’s  controls  over  contract  pay. 

•  DFAS  did  not  provide  adequate  documentation  to  support  that  it  had 
remediated  all  of  the  identified  control  deficiencies  that  DFAS  stated  had 
been  corrected.  GAO’s  review  of  a  nongeneralizable  sample  of  25  of  these 
deficiencies  found  that  in  3  instances,  corrective  actions  had  not  been  taken 
as  required,  and  in  15  other  instances,  the  documentation  provided  by  DFAS 
did  not  sufficiently  support  that  the  identified  deficiencies  were  remediated. 
DFAS  had  adequately  developed  and  implemented  the  necessary  corrective 
action  plans  for  7  of  the  deficiencies  GAO  reviewed. 

Although  DFAS  has  asserted  audit  readiness,  until  it  corrects  the  deficiencies 
and  fully  implements  its  FIP  in  accordance  with  the  FIAR  Guidance,  its  ability  to 
process,  record,  and  maintain  accurate  and  reliable  contract  pay  transaction  data 
is  questionable.  Therefore,  DFAS  does  not  have  assurance  that  its  FIP  will 
satisfy  the  needs  of  the  components  or  provide  the  expected  benefits  to 
department-wide  audit  readiness  efforts. 
Abbreviations

APVM    Accounting Pre-validation Module
BAM     Business Activity Monitoring
CONOPS  Concept of Operations
DCAS    Defense Cash Accountability System
DFAS    Defense Finance and Accounting Service
DISA    Defense Information Systems Agency
DOD     Department of Defense
EAS     Entitlement Automation System
EFT     electronic funds transfer
SBR     Statement of Budgetary Resources

GAO

441  G  St.  N.W. 
Washington,  DC  20548 


U.S.  GOVERNMENT  ACCOUNTABILITY  OFFICE 


June 23, 2014

The  Honorable  Thomas  R.  Carper 
Chairman 

The  Honorable  Tom  Coburn,  M.D. 

Ranking  Member 

Committee  on  Homeland  Security  and  Governmental  Affairs 
United  States  Senate 

The  Honorable  Darrell  Issa 
Chairman 

The  Honorable  Elijah  E.  Cummings 
Ranking  Member 

Committee  on  Oversight  and  Government  Reform 
House  of  Representatives 

The  Department  of  Defense  (DOD)  is  responsible  for  more  than  half  of 
the  federal  government’s  discretionary  spending.1  For  example,  the 
discretionary  budget  authority  of  $606  billion  DOD  requested  for  fiscal 
year  2014  constitutes  about  53  percent  of  budget  requests  for 
discretionary  programs  throughout  the  federal  government.  Yet  it  is  one  of 
the  few  major  federal  entities  that  cannot  accurately  account  for  its 
spending  or  assets,  and  remains  the  only  major  federal  agency  that  has 
been unable to receive an audit opinion of any kind on its department-wide
financial statements. To address this, the National Defense
Authorization  Act  (NDAA)  for  Fiscal  Year  2010  mandated  that  DOD 
develop  and  maintain  a  Financial  Improvement  and  Audit  Readiness 
(FIAR)  Plan  that  describes  the  specific  actions  to  be  taken  and  the  costs 
associated  with  correcting  DOD’s  financial  management  deficiencies  and 
validating  that  the  department’s  consolidated  financial  statements  are 
ready for audit by September 30, 2017.2 DOD’s FIAR Plan is a strategic
plan  and  management  tool  for  guiding,  monitoring,  and  reporting  on  the 
department’s  ongoing  financial  management  improvement  efforts  and  for 
communicating  the  department’s  approach  to  addressing  its  financial 


1Discretionary spending refers to outlays from budget authority that are provided in and
controlled  by  appropriation  acts,  unlike  mandatory  spending,  such  as  Medicare  and  other 
entitlement  programs. 

2Pub.  L.  No.  111-84,  §  1003(a), (b)  (Oct.  28,  2009). 
management weaknesses and achieving financial statement audit
readiness.  DOD  is  required  to  report  semiannually,  not  later  than  May  15 
and  November  15  each  year,  on  the  status  of  the  implementation  of  the 
FIAR  Plan.  The  NDAA  for  Fiscal  Year  2010  also  required  that  DOD 
develop  standardized  guidance  for  DOD  components,3  which  DOD  has 
done  by  issuing  its  FIAR  Guidance  to  require  components  to  develop 
Financial  Improvement  Plans  (FIP)  for  each  element  of  their  FIAR-related 
efforts,4  and  define  oversight  roles  and  assign  accountability  for  carrying 
out  the  FIAR  Plan  to  appropriate  officials  and  organizations.5 

Because DOD management relies heavily on budget information for
day-to-day management decisions, the DOD Comptroller designated the
Statement  of  Budgetary  Resources  (SBR)6  as  an  audit  priority  and  the 
Secretary  of  Defense  underscored  the  department’s  SBR  priority  with  a 
directive  that  set  an  interim  date  of  September  30,  2014,  for  validating 
that  its  SBR  is  audit  ready.7  Subsequently,  the  NDAA  for  Fiscal  Year  2013 
amended  the  legal  requirement  to  support  this  goal,  explicitly  requiring 
that  the  FIAR  Plan  describe  the  specific  actions  to  be  taken  and  the  costs 


3DOD  defines  “DOD  components”  to  include  its  military  departments  as  well  as  smaller 
entities  within  DOD,  such  as  the  defense  agencies  and  field  activities. 

4The  FIP  is  a  framework  for  planning,  executing,  and  tracking  the  steps  and  supporting 
documentation  necessary  to  achieve  audit  readiness. 

5The  FIAR  Guidance  details  the  roles  and  responsibilities  of  the  DOD  components  and 
prescribes  a  standard,  systematic  process  to  follow  to  assess  processes,  controls,  and 
systems. 

6The  SBR  is  the  only  financial  statement  predominantly  derived  from  an  entity’s  budgetary 
accounts  in  accordance  with  budgetary  accounting  rules,  which  are  incorporated  into 
generally  accepted  accounting  principles  (GAAP)  for  the  federal  government.  The  SBR  is 
designed  to  provide  information  on  authorized  budgeted  spending  authority  and  links  to 
the  Budget  of  the  United  States  Government  (President’s  Budget),  including  budgetary 
resources,  availability  of  budgetary  resources,  and  how  obligated  resources  have  been 
used.  Budgetary  resources  include  the  amount  available  to  enter  into  new  obligations  and 
to  liquidate  them.  Budgetary  resources  are  made  up  of  new  budget  authority  (including 
direct  spending  authority  provided  in  existing  statute  and  obligation  limitations)  and 
unobligated  balances  of  budget  authority  provided  in  previous  years. 

7According to DOD, validation of audit readiness occurs when the DOD Comptroller
examines  a  DOD  component’s  documentation  supporting  its  assertion  of  audit  readiness 
and  concurs  with  the  assertion.  This  takes  place  after  the  DOD  Comptroller  or 
independent  auditor  first  reviews  the  documentation  and  agrees  that  it  supports  audit 
readiness.  A  component  asserts  audit  readiness  when  it  believes  that  its  documentation 
and  internal  controls  are  sufficient  to  support  a  financial  statement  audit  that  will  result  in 
an  audit  opinion. 
associated with validating audit readiness of the department’s SBR by no
later than September 30, 2014.8

DOD  identified  properly  accounting  for  payments  made  to  its  contractors, 
referred  to  as  contract  pay,9  as  a  key  element  of  its  SBR  audit  readiness 
efforts.10  The  Defense  Finance  and  Accounting  Service  (DFAS)  is  the 
service  provider  responsible  for  processing  the  department’s  contract 
pay.11  DFAS  reported  that  it  processed  $183  billion  in  contract  pay 
disbursements for fiscal year 2013, which was just over one-fourth of
DOD’s  reported  $671  billion  in  net  outlays — spending,  net  of  offsetting 
collections  and  receipts.  DFAS  asserted  in  October  2013  that  its  contract 
pay  FIP  was  audit  ready  and  has  engaged  an  independent  public 
accounting  firm  to  conduct  an  audit. 

The  results  of  our  prior  work  have  raised  concerns  about  the  ability  of 
DOD  components  to  effectively  implement  the  FIAR  Guidance.  For 
example,  our  review  of  the  Navy’s  civilian  pay  and  the  Air  Force’s  military 
equipment  audit  readiness  efforts  identified  significant  deficiencies,  such 
as  insufficient  testing  and  conclusions  reached  that  were  not  supported 
by  testing  results.12  In  addition,  we  found  that  neither  the  Marine  Corps 
nor  the  Navy  had  implemented  effective  processes  for  reconciling  fund 
balance  with  Treasury,  which  is  required  by  the  FIAR  Guidance  to 
develop  a  reliable  SBR.13  Further,  we  have  reported  on  challenges  in 
achieving  audit  readiness  for  the  U.S.  Army’s  military  pay,  such  as  a  lack 


8NDAA  for  Fiscal  Year  2013,  Pub.  L.  No.  112-239,  §  1005(a)  (Jan.  2,  2013). 

9DOD  defines  contract  pay  as  the  payments  for  goods  and  services  provided  by 
contractors  to  the  DOD  components  as  authorized  by  formal,  long-term  contract 
instruments  that  require  contract  administration  primarily  utilizing  the  Mechanization  of 
Contract  Administration  Services  system. 

10DOD  identified  the  following  areas  as  key  elements  of  the  SBR:  appropriations  received, 
fund  balance  with  Treasury,  civilian  pay,  military  pay,  contract  pay,  reimbursable  work 
orders,  military  standard  requisitioning  and  issuing  procedures,  and  financial  reporting. 

11Service providers are entities that provide services that affect a DOD component’s
manual  and  automated  processes  used  for  reporting  amounts  in  the  financial  statements. 

12GAO,  DOD  Financial  Management:  Improvement  Needed  in  DOD  Components’ 
Implementation  of  Audit  Readiness  Efforts,  GAO-11-851  (Washington,  D.C.:  Sept.  13, 
2011). 

13GAO,  DOD  Financial  Management:  Ongoing  Challenges  with  Reconciling  Navy  and 
Marine Corps Fund Balance with Treasury, GAO-12-132 (Washington, D.C.: Dec. 20,
2011). 
of an efficient or effective process or system for providing supporting
documentation  for  its  military  payroll  expenses.14 

This  report  was  performed  under  our  mandate  to  audit  the  U.S. 
government’s  consolidated  financial  statements,  including  activities  of 
executive  branch  agencies  such  as  DOD.15  Our  objective  was  to 
determine  the  extent  to  which  DFAS  implemented  its  contract  pay  FIP  in 
accordance  with  the  FIAR  Guidance.  To  address  our  objective,  we 
compared  DFAS’s  contract  pay  FIP  with  the  FIAR  Guidance  to  determine 
whether  the  FIP  contained  all  the  steps  and  related  supporting 
documentation  that  the  FIAR  Guidance  requires  the  components  to 
complete.  Using  the  FIAR  Guidance,  we  analyzed  DFAS’s  FIP  supporting 
documentation,  such  as  process  narratives  and  flowcharts,  test  plans, 
and  test  results.  We  also  analyzed  DFAS’s  efforts  to  address  control 
deficiencies  identified  during  testing.  Specifically,  we  selected  a 
nongeneralizable16  sample  of  25  control  deficiencies  that  were  reported 
by  DFAS  as  remediated  on  the  FIAR  Directorate’s  Tracking  Sheet  and 
reviewed  the  documentation.17  We  interviewed  officials  from  DFAS’s 
Office  of  Audit  Readiness,  DFAS’s  Internal  Review,  and  the  FIAR 
Directorate  to  obtain  explanations  and  clarifications  on  the  results  of  our 
evaluation  of  the  FIP.  Appendix  I  provides  further  details  on  our  scope 
and  methodology. 

We  conducted  this  performance  audit  from  May  2012  to  April  2014  in 
accordance  with  generally  accepted  government  auditing  standards. 
Those  standards  require  that  we  plan  and  perform  the  audit  to  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  our 
findings  and  conclusions  based  on  our  audit  objectives.  We  believe  that 
the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 


14GAO,  DOD  Financial  Management:  The  Army  Faces  Significant  Challenges  in  Achieving 
Audit  Readiness  for  Its  Military  Pay,  GAO-12-406  (Washington,  D.C.:  Mar.  22,  2012). 

1531  U.S.C.  §§  331(e). 

16The  results  from  a  nongeneralizable  sample  cannot  be  used  to  make  inferences  about  a 
population. 

17The  FIAR  Directorate  developed  the  Tracking  Sheet  to  document  its  review  and 
validation  of  the  efforts  taken  by  DFAS  to  remediate  the  control  deficiencies  identified 
during  testing. 
Background


DOD  established  the  FIAR  Plan  as  its  strategic  plan  and  management 
tool  for  guiding,  monitoring,  and  reporting  on  the  department’s  ongoing 
financial  management  improvement  efforts  and  for  communicating  the 
department’s  approach  to  addressing  its  financial  management 
weaknesses  and  achieving  financial  statement  audit  readiness.  To 
implement  the  FIAR  Plan,  the  DOD  Comptroller  issued  the  FIAR 
Guidance,  which  defines  DOD’s  strategy,  goals,  roles,  and  responsibilities 
and  the  procedures  that  the  components  need  to  perform  to  improve 
financial  management  and  achieve  audit  readiness.  DOD  components 
are  expected  to  prepare  a  FIP  in  accordance  with  the  FIAR  Guidance  for 
each  of  their  assessable  units.18  The  FIPs  are  intended  to  both  guide  and 
document  financial  improvement  efforts.  While  the  name  FIP  indicates 
that  it  is  a  plan,  as  a  component  implements  that  plan,  it  must  document 
the  steps  performed  and  the  results  of  those  steps,  and  retain  that 
documentation  within  the  FIP.  When  a  component  determines  that  it  has 
completed  sufficient  financial  improvement  efforts  for  an  assessable  unit 
to  undergo  an  audit,  it  asserts  audit  readiness  for  the  related  assessable 
unit  and  submits  the  FIP  documentation  to  the  FIAR  Directorate  to 
support  the  conclusion  of  audit  readiness.19  The  FIAR  Directorate  is 
responsible  for  reviewing  and  validating  the  supporting  documentation 
within  the  FIP  to  determine  whether  the  component  is  audit  ready. 


FIAR Guidance Service Provider Methodology

DOD’s service providers are responsible for a variety of accounting,
personnel, logistics, and system development or operations services to
support DOD components. Recognizing that the effectiveness of the
service  providers’  controls  affects  the  auditability  of  the  amounts  reported 
on  the  components’  financial  statements,  DOD’s  FIAR  Guidance  outlines 
the  steps  service  providers  are  to  perform  to  achieve  audit  readiness. 
Specifically,  the  FIAR  Guidance  requires  service  providers  to  work  with 
the  components  to  execute  audit  readiness  activities  on  their  systems, 
data,  processes,  internal  controls,  and  supporting  documentation  that 
have  a  direct  effect  on  the  components’  audit  readiness  state.  To  support 


18Assessable units can be any part of the financial statements, such as line items or
classes  of  assets  (e.g.,  civilian  pay  or  military  equipment),  a  class  of  transactions,  or  a 
process  or  a  system  that  helps  produce  the  financial  statements. 

19The  DOD  Comptroller  established  the  DOD  FIAR  Directorate  to  manage  DOD-wide 
financial  management  improvement  efforts. 
the component audit readiness efforts, a service provider is required to
take  either  of  the  following  steps: 

•  Develop  and  implement  a  FIP  to  improve  its  processes,  systems,  and 
controls  so  that  it  can  successfully  undergo  a  Statement  on  Standards 
for  Attestation  Engagements  (SSAE)  No.  16  examination.20 
Specifically,  the  FIAR  Guidance  requires  the  service  provider  to 
implement  a  FIP  if  three  or  more  components  will  rely  on  its 
processes  and  systems  for  their  audit  readiness  assertions,  and  if  the 
service  provider  will  be  able  to  assert  audit  readiness  prior  to  the 
components’  targeted  dates  for  asserting  audit  readiness. 

•  Directly  participate  in  and  support  the  component’s  financial  statement 
audit  where  the  service  provider’s  processes,  systems,  internal 
controls,  and  supporting  documentation  are  audited  as  part  of  the 
components’  financial  statement  audits. 

The  FIAR  Guidance  service  provider  methodology  requires  the  FIP  to 
include  the  following  five  phases:  Discovery,  Corrective  Action, 
Assertion/Evaluation,  Validation,  and  SSAE  No.  16  Examination.  Table  1 
provides  a  list  of  steps  for  each  of  the  phases  and  the  required 
deliverables. 


20SSAE  No.  16,  Reporting  on  Controls  at  a  Service  Organization,  provides  standards  for 
auditors  to  follow  for  reporting  on  controls  at  organizations  that  provide  services  to  user 
entities  when  those  controls  are  likely  to  be  relevant  to  user  entities’  internal  control  over 
financial  reporting.  The  FIAR  Guidance  requires  the  SSAE  No.  16  examination  to  cover  at 
least  6  months  of  the  component’s  audit  period. 
Table 1: Service Provider Methodology to Become Audit Ready

Discovery Phase

Step: Overall planning activities
• The service provider coordinates with the components to (1) document understanding of roles and responsibilities for authorizing, initiating, processing, recording, and reporting transactions; (2) retain supporting documentation; and (3) support audit readiness activities.
• The service provider documents its end-to-end business processes for an assessable unit.
• The service provider coordinates with the components to assess the materiality^a of the processes and systems based on dollar activity and risk factors to determine which processes and systems should be included in the FIP.
Required deliverables to the FIAR Directorate:
• Existing service-level agreement and new memorandum of understanding.
• Process narratives and flowcharts describing the end-to-end business process for an assessable unit.
• Materiality assessment that documents the processes and systems to be included in the FIP. For each assessable unit, the service provider prepares a system inventory and a list of all users and their access privileges for all systems.

Step: The service provider plans and executes internal control testing^b to obtain evidence about the achievement of control objectives and to assess the design and effectiveness of controls that would prevent, or detect and correct potential misstatements^c in financial statements.
Required deliverables to the FIAR Directorate: Test plans and test results.
• For testing controls, a complete and accurate population of transactions that tie to the general ledger and financial statements.
• Random samples selected from the population for testing.

Step: The service provider plans and executes substantive testing^d to obtain evidence on whether amounts reported on the financial statements are reliable.
Required deliverables to the FIAR Directorate: Test plans and test results.
• For substantive testing, a complete and accurate population of transactions that tie to the general ledger and financial statements.
• Random samples selected from the population for testing.

Step: The service provider plans and executes testing of information technology (IT) controls, which should include the general^e and application controls^f for each significant system and application identified as a result of the materiality assessment.
Required deliverables to the FIAR Directorate: Test plans and test results.

Step: The service provider identifies and classifies weaknesses in control activities and notifies components of any material weaknesses.^g
Required deliverables to the FIAR Directorate: Identified weaknesses classified as material weaknesses, significant deficiencies,^h and control deficiencies.^i

Corrective Action Phase

Step: The service provider develops and implements corrective action plans to remediate the deficiencies in internal control, IT controls, and substantive testing.
Required deliverables to the FIAR Directorate: Corrective action plans that identify each deficiency and the action to be taken to remediate it.

Step: The service provider updates the corrective action section of the FIP to include the classification of the deficiencies (material weaknesses, significant deficiency, or control deficiency).
Required deliverables to the FIAR Directorate: Updated FIP status report that shows the progress in executing the corrective action plans and any scope and timeline changes.

Step: The service provider determines the strategy for supporting reporting entities’ audit readiness efforts (i.e., proceed with SSAE No. 16 examination or be audited as part of reporting entity’s financial statement audit).
Required deliverables to the FIAR Directorate: Notification to the FIAR Directorate that the Corrective Action Phase has been completed and that the service provider is ready for an SSAE No. 16 examination, an updated memorandum of understanding, or both.

Assertion/Evaluation Phase

Step: The FIAR Directorate evaluates the service provider’s FIP documentation developed in the Discovery and Corrective Action Phases to assess whether the service provider is ready for an audit. If the FIAR Directorate concludes that the service provider is not ready for an audit, it will provide feedback to describe the deficiencies to be corrected by the service provider.

Step: The service provider engages an auditor to perform an SSAE No. 16 examination.
Required deliverables to the FIAR Directorate: Awarded contract.

Step: The auditor issues SSAE No. 16 examination report.
Required deliverables to the FIAR Directorate: SSAE No. 16 examination report.

Step: The service provider addresses deficiencies identified during the SSAE No. 16 examination.
Required deliverables to the FIAR Directorate: Updated FIP.

Validation Phase

Step: The FIAR Directorate will review the service provider’s documentation, which includes the SSAE No. 16 examination report and support showing the implementation of corrective actions to address deficiencies identified during the SSAE No. 16 examination, if applicable, and assess whether the service provider will be required to undergo a second SSAE No. 16 examination.
• If the service provider receives an unqualified opinion on the first SSAE No. 16 examination, the FIAR Directorate will not require the service provider to undergo a second audit as part of the SSAE No. 16 examination phase.
• If the FIAR Directorate concludes that the service provider is not ready for an audit, it will provide feedback to describe what deficiencies need to be corrected by the service provider prior to undergoing a second SSAE No. 16 examination.
Required deliverables to the FIAR Directorate: Documentation demonstrating remediation of deficiencies.

SSAE No. 16 Examination Phase

Step: If applicable, the service provider engages an auditor to perform a second SSAE No. 16 examination.
Required deliverables to the FIAR Directorate: Awarded contract.

Step: The auditor issues SSAE No. 16 examination report.
Required deliverables to the FIAR Directorate: SSAE No. 16 examination report.

Sources: DOD’s Financial Improvement and Audit Readiness (FIAR) Guidance, March 2013, and FIAR Directorate officials.

aMateriality is the effect of an item’s omission or misstatement in a financial statement that in the light
of  surrounding  circumstances,  makes  it  probable  that  the  judgment  of  a  reasonable  person  relying  on 
the  information  would  have  been  changed  or  influenced  by  the  inclusion  or  correction  of  the  item. 

bInternal control tests are performed to assess the design and operating effectiveness of controls that
would  prevent,  or  detect  and  correct,  potential  misstatements  in  the  financial  statements. 

cMisstatements  are  the  result  of  an  incorrect  selection  or  misapplication  of  accounting  principles  or 
misstatements  of  facts  identified,  including,  for  example,  those  arising  from  mistakes  in  gathering  or 
processing  data  and  the  overlooking  or  misinterpretation  of  facts. 

dSubstantive tests are detailed tests of transactions and account balances to obtain evidence on
whether  the  amounts  reported  on  the  financial  statements  are  reliable. 

eGeneral controls are the policies and procedures that apply to all or a large segment of an entity’s
information systems and help ensure their proper operation. The objectives of general controls
include safeguarding data, protecting application programs, managing specific system resources
(e.g., networks, operating systems, and infrastructure applications), and ensuring continued computer
operations  in  case  of  unexpected  interruptions.  For  example,  general  controls  include  logical  access 
controls  that  prevent  or  detect  unauthorized  access  to  sensitive  data  and  programs  that  are  stored, 
processed,  and  transmitted  electronically. 

fApplication controls, sometimes referred to as business controls, are incorporated directly into
computer  applications  to  help  ensure  the  validity,  completeness,  accuracy,  and  confidentiality  of  data 
during  application  processing  and  reporting.  For  example,  a  system  edit  used  to  prevent  or  detect  a 
duplicate  entry  is  an  application  control. 

gA material weakness is a deficiency, or combination of deficiencies, in internal control, such that
there  is  a  reasonable  possibility  that  a  material  misstatement  of  the  entity’s  financial  statements  will 
not  be  prevented,  or  detected  and  corrected,  on  a  timely  basis. 

hA  significant  deficiency  is  a  deficiency  or  a  combination  of  deficiencies  in  internal  control  that  is  less 
severe  than  a  material  weakness,  yet  important  enough  to  merit  attention  by  those  charged  with 
governance. 

A  control  deficiency  exists  when  the  design  or  operation  of  a  control  does  not  allow  management  or 
employees,  in  the  normal  course  of  performing  their  assigned  functions,  to  prevent,  or  detect  and 
correct,  misstatements  on  a  timely  basis. 


As  presented  in  table  1,  the  service  provider  documents,  evaluates,  and 
tests  its  processes,  systems,  and  controls  during  the  Discovery  Phase  of 
its  FIP,  and  designs  and  implements  the  necessary  corrective  action 
plans  as  part  of  the  Corrective  Action  Phase.  The  deliverables  from  the 
service  provider  are  then  reviewed  by  the  FIAR  Directorate  during  the 
Assertion/Evaluation  Phase.  Based  on  its  review  of  the  deliverables,  the 
FIAR  Directorate  determines  whether  the  service  provider  is  audit  ready 
and,  if  so,  authorizes  the  service  provider  to  engage  an  auditor  to  perform 
an  SSAE  No.  16  examination.  If  the  FIAR  Directorate  determines  that  the 
service  provider  is  not  audit  ready,  the  FIAR  Directorate  provides 
feedback,  which  the  service  provider  has  to  address  before  resubmitting 
the  required  deliverables  for  review.  After  the  auditor  completes  the  SSAE 
No.  16  examination  and  issues  the  report,  the  service  provider  submits  a 
copy  of  the  SSAE  No.  16  examination  report  to  the  FIAR  Directorate  and 
evidence  that  it  has  implemented  corrective  actions  to  remediate  the 
deficiencies  identified  by  the  auditor,  if  any.  As  part  of  the  Validation 
Phase,  the  FIAR  Directorate  reviews  the  SSAE  No.  16  report  and 
supporting  documentation  of  the  implemented  additional  corrective 
actions  to  determine  if  the  service  provider  is  ready  for  a  second  SSAE 
No.  16  examination  and,  if  so,  authorizes  the  service  provider  to  engage 
an  auditor  to  perform  a  second  SSAE  No.  16  examination.  If  the  service 
provider  receives  an  unqualified  opinion  on  the  first  SSAE  No.  16 
examination,  the  FIAR  Directorate  will  not  require  the  service  provider  to 
undergo  a  second  audit  as  part  of  the  SSAE  No.  16  Examination  Phase. 
Figure  1  illustrates  a  summary  of  the  process  in  the  FIAR  Guidance 
related  to  the  submission,  review,  and  approval  of  the  service  providers’ 
documentation for audit readiness.

Figure 1: FIAR Guidance Process for the Submission, Review, and Approval of the Service Providers’ Documentation for
Audit Readiness

The FIAR Directorate is responsible for reviewing and validating DOD components’ supporting documentation to determine whether the components are
audit ready.


The  Statement  on  Standards  for  Attestation  Engagements  (SSAE)  No.  16  examination  provides  standards  for  auditors  to  follow  for  reporting  on 
controls  at  organizations  that  provide  services  to  user  entities  when  those  controls  are  likely  to  be  relevant  to  user  entities'  internal  control  over  financial 
reporting. 


The Financial Improvement Plan (FIP) is a framework for planning, executing and tracking the steps and supporting documentation necessary to
achieve  audit  readiness. 


Sources:  DOD’s  Financial  Improvement  and  Audit  Readiness  (FIAR)  Guidance,  March  2013,  and  FIAR  Directorate  officials. 


DFAS’s Contract Pay End-to-End Business Process

DFAS is the service provider responsible for processing, accounting, and
reporting contract pay for DOD components. Figure 2 illustrates the
relevant systems and end-to-end process, which includes contract input,
invoice entitlements, pre-validation, disbursing, Treasury reporting,
accounting and reconciliation, and contract closeout and reconciliation
processes.

Source: GAO analysis of DFAS contract pay process information.


1. Contract input: The components electronically transmit contract
award data and related document images through their contract
writing systems into the Mechanization of Contract Administration
Services (MOCAS) system.21 DFAS reported that some contract
awards are issued with manually produced documents, which the
components mail or fax to DFAS for input into MOCAS. DFAS’s
Contract Input Branch personnel validate the contract data before
inputting them into MOCAS.

2. Invoice entitlements: Contractors electronically transmit invoices to
DFAS for payment processing in MOCAS; however, if these invoices
do not pass a series of automatic validation edits in MOCAS, they are
rejected by the system. DFAS’s Entitlement branch personnel process
these transactions utilizing its Entitlement Automation System
(EAS).22 MOCAS performs edits to validate the invoices in MOCAS or
EAS and compare the contract obligations, invoices, and receiving
reports. DFAS’s entitlement branch personnel also utilize the
Business Activity Monitoring (BAM) tool during the entitlement
process to monitor and validate the contractors’ invoices. The BAM
tool is a monitoring capability that DFAS uses to identify potential
erroneous or improper payments.

3. Pre-validation: The Elimination of Unmatched Disbursements (EUD)
system transmits invoice data to the components’ accounting
systems.23 The components review the invoice data transmitted by
EUD and approve the invoices for payment.

4. Disbursing: Once the components approve the invoices for payment,
the components notify DFAS disbursing operations personnel who
input the approval status into MOCAS. MOCAS processes the
approved invoices to be paid either by check or electronic funds
transfer (EFT). MOCAS generates a disbursement file that identifies
all invoices to be paid. A certifying official reviews the disbursement
file for accuracy prior to payment being made. After approval by the
certifying official, DFAS’s Disbursing Operations personnel either mail
the checks to contractors or transmit the EFT file to the Federal
Reserve Bank to make the payment.

5. Treasury reporting: Once the disbursements are processed,
MOCAS interfaces with the Defense Cash Accountability System
(DCAS), which is the system used by DFAS to generate and submit
monthly reports on contract pay disbursements to the Department of
the Treasury (Treasury).24

6. Accounting and reconciliation: DFAS’s Contract Branch personnel
generate a disbursement file from MOCAS that is provided to the
components to record the contract disbursements into their general
ledgers. DFAS is also responsible for the reconciliation of the
disbursements transactions in MOCAS to the components’ general
ledgers; however, DFAS has yet to implement this process.

7. Contract closeout and reconciliation: DFAS’s Contract Branch
personnel assist the components during the contract closeout and
reconciliation processes, for example, with paying final vouchers and,
when needed, resolving unreconciled balances on a contract. DFAS
officials explained that they utilize the Standard Contract
Reconciliation Tool (SCRT) to investigate differences in contract
payment data between MOCAS and the components’ general ledgers
upon request from the components and to process the necessary
adjustments. Most of these requests are submitted to DFAS from the
components during the contract closeout procedures.


21DFAS uses MOCAS to process and make contract payments for the Army, Navy, Air
Force, and other DOD organizations.

22EAS is an application designed to allow users to view the contingent liability of the
specific contract and invoice information, make payments, and edit existing payments, as
well as view and print online reports.

23The EUD contains two modules: (1) Pay Pre-validation Module (PPVM) and
(2) Accounting Pre-validation Module (APVM). PPVM is a module of the EUD system that
is used by DFAS to download the entitlement data from MOCAS and communicate the
data to APVM. APVM is a module of the EUD system that transfers data from PPVM to
the components’ general ledger to determine whether the contract invoices have valid
obligations.


DFAS Did Not Fully Implement Its Contract Pay FIP in Compliance with the FIAR Guidance


DFAS  recognized  the  importance  of  implementing  a  FIP  to  improve  its 
contract  pay  processes,  systems,  and  controls,  and  performed  steps 
required  by  the  FIAR  Guidance,  such  as  performing  internal  control, 
information  technology  (IT),  and  substantive  testing.  However,  we  found 
that  DFAS  did  not  fully  comply  with  the  requirements  in  the  FIAR 
Guidance  to  improve  its  contract  pay  processes,  systems,  and  controls. 
For  example,  our  review  found  that  DFAS  did  not  perform  adequate 
planning  and  testing  activities  for  the  Discovery  Phase  of  its  FIP.  In 
addition,  DFAS  did  not  provide  adequate  documentation  for  several 
corrective  action  plans  to  support  that  it  has  remediated  identified  control 
deficiencies.  DFAS  asserted  in  October  2013  that  its  contract  pay  controls 
were  suitably  designed  and  operating  effectively  to  undergo  an  audit,  and 
awarded  a  contract  to  an  independent  public  accounting  firm  prior  to  fully 
remediating the deficiencies it identified during the implementation of its
contract pay FIP.25 Without fully implementing the financial improvement
steps required in the FIAR Guidance, DFAS does not have assurance
that its processes, systems, and controls can produce and maintain
accurate, complete, and timely financial management information for
contract pay. Further, the deficiencies noted will affect the components’
ability to rely on DFAS’s controls over contract pay, ultimately increasing
the risk that DOD’s goal for an auditable SBR will not be achieved in its
planned time frame. Figure 3 provides a summary of the results of our
review of DFAS’s contract pay FIP.


24Federal agencies are required to submit monthly reports to Treasury with information
relating to the agency’s collections and disbursements.


25DFAS  entered  into  an  $867,257  contract  with  the  independent  public  accounting  firm  for 
the SSAE No. 16 examination covering the period from November 2013 to September
2014.  This  contract  also  includes  4  option  years  that  could  be  exercised  for  a  total  of 
$3.3 million.

Figure 3: DFAS’s Implementation of Its Contract Pay FIP

[Figure rates each FIAR Guidance step as met, partially met, or not met. The per-step ratings are not reproduced here.]

Rating definitions:

•  Met: DFAS provided sufficient documentation that satisfies the criteria

•  Partially met: DFAS provided documentation that partially satisfies the criteria

•  Not met: DFAS did not provide any documentation that satisfies the criteria

FIAR Guidance phases and steps:

Discovery (service provider)

Overall planning activities

•  Document coordination with the components to scope the FIP within a memorandum of understanding

•  Document its end-to-end business processes

•  Assess the materiality of the processes and systems

•  Plan and execute internal control and substantive testing

•  Test the information technology controls for each significant system and application

•  Identify and classify the identified weaknesses in control activities and notify components of any material weaknesses

Corrective actions (service provider)

•  Develop and implement corrective actions plans

•  Update FIP status report to show progress in executing corrective action plans

•  Notify the FIAR Directorate that corrective action phase has been completed and develop audit strategy


Source: GAO analysis of DFAS FIP.


Discovery Phase: DFAS Did Not Adequately Complete Required Key Tasks


DFAS  developed  flowcharts  and  narratives  and  performed  internal 
control,  substantive,  and  IT  testing.  Based  on  the  testing  performed 
during  the  Discovery  Phase,  DFAS  identified  a  total  of  399  deficiencies. 
Specifically,  DFAS  identified  20  internal  control  deficiencies  and  379  IT 
control  deficiencies — 20  related  to  general  controls  and  359  related  to 
application  controls.  However,  we  found  that  DFAS  did  not  (1)  adequately 
perform  the  required  planning  activities  for  its  contract  pay  FIP,  such  as 
assessing the materiality of its processes and systems; (2) adequately
perform the required testing; and (3) properly classify the identified
deficiencies. As a result, additional deficiencies may exist that could
negatively affect DFAS processes, systems, and controls that are relied
upon by DOD components.

DFAS’s Overall Planning Activities

DFAS  developed  a  high-level  end-to-end  flowchart  for  contract  pay  that 
identified  seven  key  processes  and  prepared  detailed  flowcharts  and 
narratives  for  four  of  these  seven  key  processes.  However,  DFAS  did  not 
perform  all  activities  required  by  the  FIAR  Guidance.  Specifically,  based 
on  our  review  of  the  contract  pay  FIP,  DFAS  did  not: 

•  prepare  a  memorandum  of  understanding  for  each  of  the  DOD 
components  that  documented  roles  and  responsibilities  for 
transactions,  supporting  documentation  retention,  and  audit  readiness 
activities; 

•  prepare  detailed  flowcharts  and  narratives  for  three  of  the  seven  key 
processes:  (1)  reporting  of  disbursements  to  Treasury,  (2)  accounting 
and  reconciliation  of  contract  pay  disbursements  to  the  components’ 
general  ledgers,  and  (3)  contract  closeout;  and 

•  assess  the  materiality  of  its  processes  and  systems  based  on  dollar 
activity  and  risk  factors. 


DFAS  officials  stated  that  they  coordinated  with  the  DOD  components  to 
develop  the  contract  pay  FIP;  however,  DFAS  did  not  maintain  meeting 
minutes  and  was  unable  to  provide  documentation  to  support  the 
components’  input  or  concurrence  with  the  decisions  made.  DFAS  is 
developing  a  Concept  of  Operations  (CONOPS)  to  supplement  existing 
mission  work  agreements  that  it  has  established  with  each  component  to 
comply  with  the  requirements  in  the  FIAR  Guidance  for  the  service 
providers  to  develop  a  memorandum  of  understanding.26  However,  DFAS 
has  not  established  a  time  frame  for  when  the  CONOPS  will  be 
completed.  In  addition,  our  review  of  the  draft  CONOPS  and  existing 
mission  work  agreements  showed  that  they  do  not  address  all  the 
requirements  reflected  in  the  FIAR  Guidance.  For  example,  these 
documents do not:

•  identify the roles and responsibilities for authorizing, initiating,
processing, recording, and reporting of transactions;

•  identify the roles and responsibilities for the creation, completion, and
retention of supporting documentation; and

•  identify the supporting documentation that should be retained for each
business process and transaction type.


26A CONOPS is a document used to describe an organization, its mission, and the
organizational objectives. DFAS stated that the purpose of its draft CONOPS is to define
roles and responsibilities for the contract pay examination under SSAE No. 16.


DFAS  officials  stated  that  they  did  not  assess  materiality  and  risk  level  for 
determining  what  processes,  systems,  and  controls  needed  to  be 
included  in  DFAS’s  contract  pay  FIP  because  their  approach  consisted  of 
including  in  the  FIP  the  processes  and  systems  that  were  common  to  at 
least  three  or  more  components.  By  applying  this  approach,  they 
determined  that  the  three  processes  that  were  excluded  were  used  by 
two  or  fewer  components.  For  example,  each  client  has  a  different 
general  ledger  system;  therefore,  DFAS  did  not  consider  the  general 
ledger  reconciliation  process  to  be  a  common  service.  However,  this 
approach  did  not  comply  with  the  requirements  in  the  FIAR  Guidance, 
which  requires  service  providers  to  determine  the  processes  to  be 
covered  in  the  FIP  based  on  whether  the  process  is  critical  to  the  audit 
readiness  efforts  as  defined  by  both  materiality  and  risk.  As  a  result,  and 
as  shown  in  figure  4,  DFAS  excluded  from  the  FIP  three  of  its  key 
contract pay processes: (1) reporting of disbursements to Treasury,
(2) accounting and reconciliation of contract pay disbursements to the
components’ general ledgers, and (3) contract closeout.

Figure 4: Processes, Systems, and Controls Addressed and Not Addressed in DFAS’s Contract Pay FIP

[Figure legend: process included in DFAS Contract Pay FIP; process not included in DFAS Contract Pay FIP]

Source: GAO analysis of DFAS contract pay process information.


These  processes  excluded  by  DFAS  from  its  FIP  are  intended  to  help 
ensure  that  the  contract  disbursements  processed  by  DFAS  are 
accurately  recorded  and  maintained  in  the  components’  general  ledgers 
and  that  the  status  of  DOD’s  contract  obligations  is  accurate  and  up-to- 
date. At the time of the implementation of its contract pay FIP, DFAS had
not established a general ledger reconciliation process. DOD’s Financial
Management Regulation (FMR) requires DFAS to reconcile
disbursements transactions to the components’ general ledger,27 and the
FIAR Guidance notes that the DOD components will not be able to
successfully pass an audit without transaction-level reconciliation to the
general ledger. Standards for Internal Control in the Federal Government
states that control activities such as reconciliations are an integral part of
an entity’s planning, implementing, reviewing, and accountability for
stewardship of government resources and achieving effective results.28
DFAS officials explained that DFAS is evaluating the three processes
excluded from its contract pay FIP for each of the components to support
their audit readiness efforts and that they will provide the results of these
efforts to the affected components before the components assert audit
readiness for contract pay. Specifically, these officials indicated that they
have established a general ledger reconciliation process and plan to
evaluate it and the other two processes (i.e., the reporting of
disbursements to Treasury and contract closeout processes) in support of
the Departments of the Navy, Air Force, and Army with a completion date
of June 2014. However, DFAS did not provide sufficient documentation
for us to assess the scope and methodology of these efforts or to confirm
the completion status.

27DOD Financial Management Regulation 7000.14-R (FMR), vol. 6A, ch. 2, Financial
Reports Roles and Responsibilities, Section 020204 (August 2011).

28GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
(Washington, D.C.: November 1999).

Without an adequately scoped and planned FIP, DFAS will not be able to
ensure that it is covering all key processes that will materially affect the
timeliness, accuracy, and reliability of its contract pay transaction data. As
a result, even though DFAS has already asserted audit readiness, DFAS
does not have assurance that its FIP will satisfy the needs of the
components or provide the expected benefits to the department-wide
efforts to assert audit readiness for contract pay as a key element of the
SBR.

DFAS Internal Control and Substantive Testing

DFAS performed both internal control and substantive testing; however,
DFAS did not validate the populations of transactions used to perform the
testing. Therefore, DFAS’s test results cannot be generalized to support
the assertion that its controls, and its transaction activities and balances,
are audit ready. The FIAR Guidance requires service providers to validate
the population of transactions to be tested prior to performing internal
control and substantive testing by reconciling the population to the
general ledger and assessing it for invalid transactions, abnormal
balances, and missing data fields. As noted earlier, at the time of the
implementation of its contract pay FIP, DFAS had not established a
general ledger reconciliation process.

In  response  to  our  inquiries,  DFAS  officials  stated  that  they  had  validated 
the  populations  and  provided  to  us  a  copy  of  a  data  reliability 
assessment.  According  to  the  FIAR  Guidance,  a  data  reliability 
assessment  is  intended  to  document  a  comparison  of  the  transaction  data 
to  the  components’  general  ledgers  and  data  mining  performed  to  identify 
any  outliers.29  However,  the  data  reliability  assessment  provided  by  DFAS 
did  not  contain  such  a  comparison  or  address  data  mining  activities. 
Instead,  the  data  reliability  assessment  provided  background  information 
on  the  Shared  Data  Warehouse  (SDW),  which  is  the  database  used  by 
DFAS  to  generate  the  samples  of  transactions  tested.  SDW  was 
developed  by  DFAS  as  a  tool  to  generate  reports  for  the  disbursements 
recorded  in  MOCAS  because  MOCAS  has  limited  query  capabilities.  As  a 
result,  SDW  is  used  by  DFAS  to  store  contract  administration  and 
payment  data  collected  from  MOCAS,  conduct  queries,  and  produce 
reports.  Because  SDW  is  a  database  that  stores  data  from  MOCAS,  this 
comparison  is  not  an  adequate  reconciliation  and,  in  essence,  represents 
a  comparison  of  the  transactions  recorded  in  MOCAS  to  MOCAS  itself. 

An  effective  reconciliation  process  would  involve  comparing  transactions 
to  supporting  documentation,  systems  of  record,  or  both  to  ensure  the 
completeness,  validity,  and  accuracy  of  financial  information.  Even  if 
DFAS  had  performed  an  adequate  reconciliation  process,  according  to 
the  data  reliability  assessment  that  DFAS  provided,  the  population  of 
transactions  validated  by  DFAS  only  covered  the  disbursements  for  1 
day,  not  the  population  of  data  for  the  entire  fiscal  year  that  was  used  by 
DFAS  to  select  the  samples  that  were  tested. 

DFAS did not identify any deficiencies related to its substantive testing of
the contract disbursements recorded in MOCAS and identified 20
deficiencies related to its internal control testing. However, because
DFAS did not validate the population used to perform internal control and
substantive testing, additional deficiencies may exist in DFAS’s contract
pay controls and errors may exist in the recorded transactions activity and
balances.


29For purposes of data mining, outliers are those transactions that are unusual and invalid
and have abnormal balances (e.g., negative obligations) or instances where data fields
are missing.


DFAS Testing of Information Technology Controls

We  found  that  DFAS  did  not  perform  sufficient  general  and  application 
controls  testing.30  Further,  DFAS  did  not  develop  an  audit  plan  or  strategy 
for  its  application-level  testing.  As  a  result,  DFAS  did  not  have  support  for 
the  scope  of  its  application-level  testing,  such  as  its  rationale  for 
excluding  a  significant  number  of  the  controls  from  the  testing  of  several 
of  the  systems  DFAS  classified  as  key  for  contract  pay,  even  though  the 
FIAR  Guidance  requires  consideration  of  such  controls.  For  the  controls  it 
did  test,  DFAS  found  numerous  deficiencies  that  needed  to  be 
addressed.  Specifically,  DFAS  found  issues  with  20  entity-level  general 
controls  and  359  application-level  controls. 

General  controls:  DFAS  tested  122  of  the  261  entity-level  general 
controls  identified  in  the  FIAR  Guidance;  however,  it  did  not  determine 
whether  the  remaining  139  controls  were  relevant  and  should  have  been 
tested.  DFAS  officials  told  us  that  they  decided  to  focus  the  entity-level 
testing  on  the  122  controls  identified  by  the  FIAR  Guidance  as  having  the 
highest  relevance  for  a  financial  statement  audit  because  of  resource 
constraints.  Based  on  the  entity-level  controls  that  were  tested,  DFAS 
identified  20  general  control  deficiencies  at  the  entity  level  that  were 
related  to  either  the  design  or  operation  of  controls,  such  as  inappropriate 
segregation  of  duties  and  inadequate  monitoring  of  system  access 
privileges.  However,  because  of  the  limited  testing  performed,  additional 
deficiencies  may  exist  that  were  not  identified. 


30General controls are the policies and procedures that apply to all or a large segment of
an  entity’s  information  systems  and  help  ensure  their  proper  operation.  Application 
controls,  sometimes  referred  to  as  business  controls,  are  incorporated  directly  into 
computer  applications  to  help  ensure  the  validity,  completeness,  accuracy,  and 
confidentiality  of  data  during  application  processing  and  reporting.  The  effectiveness  of 
general  controls  is  a  significant  factor  in  determining  the  effectiveness  of  application 
controls.  For  example,  automated  edits  designed  to  preclude  users  from  entering 
unreasonably  large  dollar  amounts  in  a  payment  processing  system  can  be  an  effective 
application  control.  However,  this  control  is  not  effective  (cannot  be  relied  on)  if  the 
general  controls  permit  unauthorized  program  modifications  that  might  allow  some 
payments  to  be  exempted  from  the  edits  or  unauthorized  changes  to  be  made  to  data  files 
after the edit is performed.

DFAS officials acknowledged that they needed to assess the other 139
entity-level  controls  and  planned  to  perform  such  an  assessment  during 
fiscal  year  2014.  However,  as  stated  previously,  DFAS  asserted  in 
October  2013  that  its  contract  pay  process  was  audit  ready  and  did  so 
without  having  assessed  these  139  entity-level  controls.  Without  effective 
entity-level  general  controls,  application-level  controls  may  be  rendered 
ineffective  by  circumvention  or  modification.  As  a  result,  these 
deficiencies  can  materially  affect  the  effectiveness  of  DFAS  application- 
level  controls.  For  example,  edits  designed  to  preclude  users  from 
entering  unreasonably  large  dollar  amounts  in  a  payment  processing 
system  can  be  an  effective  application  control.  However,  this  control 
cannot  be  relied  on  if  the  general  controls  permit  unauthorized  program 
modifications  that  might  allow  some  payments  to  be  exempt  from  the  edit. 

Application-level  controls:  DFAS  performed  application-level  testing  for 
the  six  system  applications  it  determined  to  be  key  to  its  contract  pay 
systems.  However,  DFAS  did  not  develop  audit  plans  or  strategies  to 
guide  its  application-level  control  testing  for  all  six  systems  and  did  not 
perform  sufficient  testing  for  three  of  its  systems — BAM,  SCRT,  and  EUD- 
Accounting  Pre-validation  Module  (APVM).  The  FIAR  Guidance  requires 
service  providers  to  follow  the  Federal  Information  System  Controls  Audit 
Manual  (FISCAM)  to  test  the  IT  controls  of  the  systems  and  applications 
that  are  necessary  to  achieve  audit  readiness.31  FISCAM  requires  a 
written  audit  program  or  strategy  that  describes  the  objective,  scope,  and 
methodology  for  the  testing  of  IT  controls.  Entities  are  required  to  use  the 
information  documented  in  the  audit  plan  or  strategy  to  determine  the 
nature,  timing,  and  extent  of  the  IT  test  procedures.  DFAS  officials 
explained  that  they  did  not  document  a  plan  or  strategy  for  application- 
level  controls  because  they  were  performing  self-assessments  and  not 
audits.  They  also  stated  that  some  of  their  staff  members  did  not  know 
how  to  perform  a  FISCAM  audit  and  that  this  was  a  learning  experience. 
However,  the  FIAR  Guidance  requires  DOD  components  to  follow  a 
process  similar  to  an  audit  to  obtain  sufficient  evidence  that  the 
organization  is  audit  ready.  DFAS  officials  stated  that  they  recognized 
that  the  assessments  could  be  improved,  but  noted  that  the  FIAR 
Directorate  had  validated  the  results  of  its  application-level  testing. 


31  FISCAM  is  a  methodology  for  performing  information  system  control  audits  of  federal 
and  other  governmental  entities  in  accordance  with  professional  standards.  GAO,  Federal 
Information  System  Controls  Audit  Manual  (FISCAM),  GAO-09-232G  (Washington,  D.C.: 
February 2009).

In addition, DFAS did not perform sufficient application-level testing for
BAM,  SCRT,  and  EUD-APVM.  Out  of  the  163  controls  required  by  the 
FIAR  Guidance  to  be  considered  for  each  system,  DFAS  tested  40 
controls  for  EUD-APVM,  32  for  BAM,  and  9  for  SCRT.  DFAS  provided  us 
a  document  to  support  how  it  selected  the  key  controls  that  were  tested 
for  these  systems  and  its  reasoning  for  excluding  from  the  testing  most  of 
the  controls  that  are  required  by  the  FIAR  Guidance.  However,  this 
document  did  not  adequately  support  DFAS’s  scope  and  methodology  for 
testing  these  systems.  For  example,  the  document  stated  that  either 
limited  or  no  testing  was  performed  of  certain  control  areas,  such  as  the 
application-level  general  controls  for  Security  Management  and 
Contingency  Planning,  because  those  controls  were  tested  at  the  entity  or 
system  level;  however,  DFAS’s  review  of  entity-level  controls  did  not 
cover  any  application-related  controls.  Further,  as  stated  earlier,  DFAS 
did  not  perform  sufficient  testing  of  its  entity-level  controls.  Although  the 
Defense  Information  Systems  Agency  (DISA) — which  is  responsible  for 
the  mainframe  platforms  where  DFAS’s  contract  pay  systems  are 
executed  and  maintained — received  an  unqualified  opinion  on  its  SSAE 
No.  16  examination,  this  examination  did  not  cover  DFAS’s  application- 
level  controls.32  DISA’s  SSAE  No.  16  report  also  recognized  the  need  for 
its  user  entities  to  implement  complementary  controls  in  different  areas, 
including  backup  and  recovery  management.  As  a  result,  the  application- 
level  testing  performed  by  DFAS  for  BAM,  SCRT,  and  EUD-APVM  was 
not  sufficient  and  did  not  comply  with  the  FIAR  Guidance. 

Based  on  its  limited  testing  of  application-level  controls,  DFAS  identified  a 
total  of  359  deficiencies.  For  example,  DFAS  found  deficiencies  in  its 
access  controls,  such  as  a  lack  of  processes  to  ensure  that  users’  system 
access  is  authorized  and  limited  to  job  responsibilities.  DFAS  also  found  a 
lack  of  adequate  policies  and  procedures  to  ensure  proper  segregation  of 
duties  and  related  monitoring  processes.  Because  DFAS  did  not  use  a 
documented  plan  or  strategy,  and  did  not  have  adequate  evidence  on 
whether  its  application-level  control  testing  was  adequately  designed,  it 
did  not  obtain  the  necessary  assurance  that  its  contract  pay  data  are 
valid,  complete,  and  accurate.  This  increases  the  risk  that  additional 
deficiencies  exist  that  were  not  identified  during  the  application-level 


32 DISA is a DOD service provider responsible for managing major portions of DOD’s
common  global  IT  resources,  providing  services  and  operating  and  maintaining  systems 
that  support  the  computing,  networking,  and  information  needs  of  the  national  command 
authority,  military  services,  joint  military  commands,  and  defense  agencies. 
testing, which in turn hinders DFAS’s ability to remediate existing
deficiencies  thus  adversely  affecting  audit  readiness. 


DFAS  Classification  of 
Identified  Deficiencies  and 
Coordination  with  the 
Components 


DFAS  did  not  coordinate  and  work  with  the  components  to  assess  the 
impact  of  the  identified  deficiencies  on  the  components’  audit  readiness 
efforts  and  classify  the  deficiencies  as  control  deficiencies,  significant 
deficiencies,  or  material  weaknesses  as  required  by  the  FIAR  Guidance. 
DFAS  officials  explained  that  they  classified  the  identified  deficiencies  into 
high-,  medium-,  or  low-risk  categories  based  on  their  assessment  of  the 
risk  to  DFAS  not  being  able  to  achieve  its  control  objectives.33  These 
officials  indicated  that  they  did  not  follow  the  FIAR  Guidance  for  risk 
classification  because  SSAE  No.  16  states  that  the  service  provider  will 
not  be  able  to  determine  the  impact  of  the  identified  deficiencies  on  the 
components’  financial  statements.  DFAS  officials  also  stated  that  in  order 
for  them  to  classify  the  deficiencies  as  control  deficiencies,  significant 
deficiencies,  or  material  weaknesses  as  required  by  the  FIAR  Guidance, 
they  would  need  to  obtain  information  from  the  components  regarding 
their  processes  and  controls  affected  by  the  identified  deficiencies. 

The  FIAR  Guidance  recognizes  that  this  coordination  is  needed  to 
determine  the  effect  of  the  identified  deficiencies  on  the  components’ 
financial  statements,  which  is  the  intent  of  DOD’s  overall  FIAR  effort. 
Further,  the  FIAR  Guidance  states  that  because  of  the  complexities 
inherent  in  DOD  component  and  service  provider  relationships  and 
associated  audit  readiness  interdependencies,  it  is  essential  that  such 
coordination  is  documented  in  a  memorandum  of  understanding.  While 
an  SSAE  No.  16  examination  is  intended  to  provide  assurance  regarding 
the  control  environment  of  the  service  providers,  the  FIAR  effort  is 
intended,  among  other  things,  to  provide  assurance  that  the  components 
are  ready  for  a  financial  statement  audit.  To  do  this,  the  components  must 
be  aware  of  the  impact  of  the  deficiencies  in  the  service  provider’s  control 
environment  so  that  they  can  assess  their  risks  and  identify  and 
implement  compensating  controls  if  needed.  Because  DFAS  did  not 
adequately  classify  the  identified  deficiencies  and  assess  their  related 
impact  to  the  components,  DOD  components  will  not  be  able  to  obtain  a 
complete  understanding  of  the  impact  of  the  deficiencies  identified  by 


33 DFAS classified as high risk the deficiencies that if not remediated could negatively
affect  its  ability  to  assert  audit  readiness.  In  addition,  DFAS  classified  as  medium  and  low 
risk  the  deficiencies  that  needed  to  be  considered  in  aggregate  to  determine  the  potential 
impact  to  its  audit  readiness  assertion. 




DFAS  on  their  own  control  environments  and  design  and  implement 
compensating  controls  to  mitigate  the  effect  of  DFAS’s  control 
deficiencies  on  their  financial  operations. 


Corrective  Action  Phase: 
DFAS  Did  Not  Adequately 
Complete  Required  Key 
Tasks 


DFAS  notified  the  FIAR  Directorate  that  it  had  implemented  the 
necessary  corrective  action  plans  and  developed  an  audit  readiness 
strategy;  however,  we  found  that  DFAS  did  not  (1)  take  the  necessary 
corrective  actions  or  maintain  sufficient  documentation  for  18  of  25 
deficiencies  DFAS  reported  as  remediated  that  we  reviewed  and 
(2)  properly  update  the  Corrective  Action  Phase  section  of  its  FIP  status 
report.  DFAS’s  audit  strategy  consisted  of  its  contract  pay  FIP  undergoing 
an  SSAE  No.  16  examination  and,  as  stated  earlier,  DFAS  evaluating  the 
three  processes  excluded  from  its  contract  pay  FIP  for  each  of  the 
components  to  support  their  audit  readiness  efforts.  However,  DFAS  did 
not  provide  documentation  (an  updated  CONOPS  or  memorandum  of 
understanding)  to  show  that  it  had  coordinated  with  the  components  to 
determine  how  it  would  support  their  audit  readiness  efforts  for  those 
processes  excluded  from  the  FIP  as  required  by  the  FIAR  Guidance. 
Further,  additional  deficiencies  may  exist  in  DFAS’s  contract  pay 
processes  and  systems  that  were  not  considered  during  the  Corrective 
Action  Phase  because,  as  discussed  previously,  DFAS  did  not 
(1)  validate  the  population  used  to  perform  internal  control  and 
substantive  testing  and  (2)  perform  sufficient  general  control  and 
application-level  testing.  As  a  result  of  these  deficiencies,  DFAS’s 
contract  pay  FIP  did  not  provide  sufficient  assurance  that  all  the 
deficiencies  that  may  materially  affect  the  accuracy  and  reliability  of  its 
contract  pay  transaction  data  had  been  fully  remediated.  The  FIAR 
Directorate  reviewed  the  DFAS’s  supporting  documentation  for  its 
contract  pay  FIP  and  authorized  DFAS  to  undergo  an  SSAE  No.  16 
examination. 


DFAS Corrective Action Plans

DFAS reported that it had developed and implemented corrective actions
to remediate 393 of the 399 deficiencies it identified as part of the
Discovery  Phase.  DFAS  officials  stated  that  for  the  6  deficiencies  that 
were  not  remediated  as  part  of  the  contract  pay  FIP,  DFAS  will  either 
address  the  deficiencies  subsequent  to  its  audit  readiness  assertion  or 
rely  on  other  components  to  address  these  deficiencies.  The  FIAR 
Guidance  requires  service  providers  to  remediate  each  identified 
deficiency  before  asserting  that  they  are  audit  ready.  In  addition,  2  of 
these  6  deficiencies  were  determined  by  the  FIAR  Directorate  to  be 
material.  However,  DFAS  did  not  provide  evidence  that  these  deficiencies 
were  remediated  before  asserting  audit  readiness  for  contract  pay. 

We selected a nongeneralizable sample of 25 control deficiencies DFAS
reported  as  remediated  to  determine  whether  DFAS  had  adequately 
implemented  corrective  actions  to  remediate  the  identified  deficiencies.34 
Of  these  25  deficiencies,  we  found  that  DFAS  had  adequately  developed 
and  implemented  the  necessary  corrective  action  plans  for  7.  We  found 
the  following  for  the  remaining  18  deficiencies: 

•  For  3  deficiencies,  DFAS  did  not  develop  corrective  action  plans.  For 
example,  DFAS  reported  1  of  these  deficiencies  as  closed  because  it 
planned  to  rely  on  the  Defense  Contract  Management  Agency 
(DCMA)  to  remediate  the  identified  weaknesses.  Although  DFAS 
provided  documentation  of  DCMA’s  agreement  to  address  this 
deficiency,  DFAS  did  not  provide  documentation  to  support  that  this 
deficiency  had  been  remediated  by  DCMA.  In  addition,  DFAS 
reported  as  closed  2  deficiencies  related  to  the  reconciliation  of  its 
contract  pay  activity  with  the  components’  general  ledger  because,  as 
stated  earlier,  it  decided  not  to  address  this  reconciliation  as  part  of  its 
contract  pay  FIP.  DOD’s  FMR  and  the  FIAR  Guidance  require  DFAS 
to  reconcile  disbursement  transactions  to  the  components’  general 
ledgers,  and  the  FIAR  Guidance  notes  the  DOD  components  will  not 
be  able  to  successfully  pass  an  audit  without  transaction-level 
reconciliation  to  their  general  ledgers.  Standards  for  Internal  Control  in 
the  Federal  Government  states  that  control  activities  such  as 
reconciliations  are  an  integral  part  of  an  entity’s  planning, 
implementing,  reviewing,  and  accountability  for  stewardship  of 
government  resources  and  achieving  effective  results. 

•  For  eight  deficiencies,  the  corrective  action  plans  developed  by  DFAS 
were  not  adequate.  Corrective  action  plans  should  include,  among 
other  things,  the  responsible  point  of  contact,  the  root  causes  of  the 
deficiency,  and  resource  needs.35  However,  these  corrective  action 
plans  did  not  adequately  describe  the  root  causes  of  the  identified 
deficiencies  that  needed  to  be  corrected.  For  example,  half  of  these 
corrective  action  plans  only  described  the  control  requirements  from 
FISCAM  but  did  not  describe  the  underlying  root  cause  of  the 


34The  results  from  a  nongeneralizable  sample  cannot  be  used  to  make  inferences  about  a 
population. 

35United  States  Chief  Financial  Officers  Council,  Implementation  Guide  for  OMB  Circular 
A-123,  Management’s  Responsibility  for  Internal  Control,  Appendix  A,  Internal  Control 
over  Financial  Reporting  (Washington,  D.C.:  July  2005),  and  GAO,  DOD  Financial 
Management:  Ineffective  Risk  Management  Could  Impair  Progress  toward  Audit-Ready 
Financial  Statements,  GAO-13-123  (Washington,  D.C.:  Aug.  2,  2013). 
deficiencies identified by DFAS. As a result, these corrective action
plans do not provide sufficient information to perform an independent
review to determine whether an implemented corrective action
remediated the identified deficiency.

• For the remaining 7 deficiencies, DFAS did not provide adequate
documentation to support that the corrective action plans were
adequately implemented. For example, DFAS provided us a copy of a
documented procedure as support for the implementation of one of its
corrective action plans; however, the documented procedure provided
by DFAS was not relevant to the identified deficiency. In addition,
DFAS did not provide support that a corrective action had been tested
and had successfully remediated the deficiency, and for another
deficiency the test results showed that it had not been successfully
remediated by the implemented corrective action. Further, the
corrective action plan for another deficiency noted that it would not be
fully remediated until February 2014, which was 4 months after DFAS
asserted audit readiness.

DFAS stated that the actions taken to address these 18 deficiencies were
appropriate. However, we found that in 3 of the 18 instances, corrective
actions had not been taken as required by the FIAR Guidance and that
the documentation provided by DFAS for the other 15 deficiencies was
insufficient. Without implementing adequate corrective action plans,
DFAS lacks sufficient assurance that these identified control deficiencies
were remediated, which will negatively affect the accuracy and reliability
of its contract pay transaction data.

DFAS’s FIP Status Report

DFAS submitted its monthly FIP status report for the department to
monitor  its  progress  in  meeting  interim  and  long-term  goals.  However,  we 
found  that  DFAS’s  status  reports  were  not  accurate  and  complete.  For 
example,  although  DFAS  has  reported  since  November  2012  on  its  FIP 
status  report  that  its  Corrective  Action  Phase  was  completed  in  August 
2012,  DFAS  did  not  assert  its  Corrective  Action  Phase  as  complete  until 
October  2013.  Further,  DFAS  did  not  include  in  the  status  report  the 
information  required  by  the  FIAR  Guidance  for  the  Corrective  Action 
Phase,  such  as  the  identified  weaknesses  by  classification  (e.g.,  material 
weaknesses),  and  respective  corrective  actions  with  targeted  completion 
dates. 

DFAS  officials  explained  that  they  did  not  update  the  contract  pay  FIP 
status  report  to  include  the  information  required  by  the  FIAR  Guidance  for 
the  Corrective  Action  Phase  because  of  limitations  in  the  software  used  to 
maintain  the  FIP.  They  explained  that  the  software  does  not  allow  them  to 
make  significant  updates  to  the  FIP  and  they  would  have  to  develop  a 




work-around  to  update  the  FIP,  such  as  creating  a  new  project  in  the 
software  with  the  required  updates.  However,  this  information  is  key  for 
DOD’s  oversight  of  the  components’  audit  readiness  efforts,  as  it  is  used 
by  DOD’s  key  stakeholders  and  governing  bodies  for  financial 
improvement  and  audit  readiness  to  oversee  the  FIAR  effort  and  is 
reported  publicly  on  a  biannual  basis.  Further,  because  the  status 
information  reported  by  DFAS  is  inaccurate  and  incomplete,  it  could 
misinform  stakeholders  as  to  the  status  of  DFAS’s  audit  readiness  efforts 
and  negatively  affect  the  adequacy  and  effectiveness  of  the  components’ 
audit  readiness  plans  for  contract  pay. 

DFAS Strategy for Supporting Components’ Audit Readiness Efforts

DFAS notified the FIAR Directorate that it had implemented the
necessary corrective action plans and developed an audit readiness
strategy. The FIAR Directorate reviewed the DFAS’s supporting
documentation for its contract pay FIP and authorized DFAS to undergo
an  SSAE  No.  16  examination.  DFAS’s  audit  strategy  consisted  of 
undergoing  an  SSAE  No.  16  examination  for  its  contract  pay  FIP  and,  as 
stated  earlier,  evaluating  the  three  processes  excluded  from  its  contract 
pay  FIP  for  each  of  the  components  to  support  their  audit  readiness 
efforts.  However,  DFAS  did  not  provide  documentation  (an  updated 
CONOPS  or  memorandum  of  understanding)  to  show  that  it  had 
coordinated  with  the  components  to  determine  how  it  would  support  their 
audit  readiness  efforts  for  those  processes  excluded  from  the  FIP  as 
required  by  the  FIAR  Guidance.  For  example,  because  DFAS  has  not 
implemented  a  memorandum  of  understanding  with  the  components,  it  is 
unclear  whether  the  Army  implemented  the  necessary  compensating 
controls  in  the  absence  of  assurance  from  DFAS  that  its  contract  pay 
processes,  systems,  and  controls  were  designed  and  operating  as 
intended.  As  stated  earlier,  DFAS  has  not  completed  its  evaluation  of  the 
three  processes  that  were  excluded  from  its  contract  pay  FIP  for  the 
components,  including  the  Department  of  the  Army;  however,  the  Army 
asserted  in  June  2013  that  its  processes,  systems,  and  controls  for 
contract  pay  were  audit  ready.  In  addition,  DFAS  did  not  assert  audit 
readiness  of  the  processes,  systems,  and  controls  included  in  its  contract 
pay  FIP  until  October  2013.  Thus,  the  usefulness  of  DFAS’s  efforts  in 
support  of  the  Army’s  and  other  components’  audit  readiness  efforts 
remains  questionable. 


Conclusions 


DFAS  recognized  the  importance  of  implementing  a  FIP  to  improve  its 
contract  pay  processes,  systems,  and  controls  and  performed  steps 
required  by  the  FIAR  Guidance,  such  as  performing  internal  control,  IT, 
and  substantive  testing.  However,  DFAS  did  not  fully  comply  with  the 
requirements in the FIAR Guidance for the Discovery and Corrective
Action  Phases;  therefore,  the  FIP  did  not  support  DFAS’s  October  2013 
assertion  that  its  contract  pay  controls  were  suitably  designed  and 
operating  effectively.  As  a  result,  DFAS  did  not  have  assurance  that  its 
processes,  systems,  and  controls  can  produce  and  maintain  accurate, 
complete,  and  timely  financial  management  information  for  the 
approximately  $200  billion  of  contract  pay  disbursements  it  annually 
processes  on  behalf  of  DOD  components.  For  example,  DFAS  did  not 
perform  adequate  planning  and  testing  activities  for  the  Discovery  Phase 
of  its  FIP.  In  addition,  DFAS  did  not  provide  adequate  documentation 
demonstrating  that  it  had  remediated  certain  identified  deficiencies. 
Although  DFAS  asserted  audit  readiness,  correcting  the  weaknesses 
identified  in  this  report  can  help  ensure  that  it  effectively  carries  out  its 
contract  pay  mission  and  implements,  maintains,  and  sustains  the 
necessary  financial  improvements  to  its  contract  pay  processes,  systems, 
and  controls.  Until  DFAS  does  so,  its  ability  to  properly  process,  record, 
and  maintain  accurate  and  reliable  contract  pay  transaction  data  is 
questionable. 


Recommendations  for 
Executive  Action 


To ensure that DFAS is able to obtain the necessary assurance that its
contract pay end-to-end process can produce, maintain, and sustain
accurate, complete, and timely information in support of the components’
and DOD-wide financial improvement and audit readiness efforts, we
recommend that the Under Secretary of Defense (Comptroller)/Chief
Financial Officer direct the Director of the Defense Finance and
Accounting Service to take the following nine actions:

Address deficiencies in its Discovery Phase planning activities for
contract pay by performing the following:

• Document its contract pay end-to-end process by developing the
necessary flowcharts and narratives for those processes excluded
from the FIP.

• Assess the materiality (i.e., dollar activity and risk factors) of its
processes, systems, and controls.

• Complete a memorandum of understanding with each of the
components.

Address deficiencies in its Discovery Phase testing activities by
performing the following:

• Validate the completeness and accuracy of the populations of
transactions used to perform testing.

•  Consider  and  assess  the  design  and  operational  effectiveness  of  the 
entity-level  general  controls  that  were  not  tested  by  DFAS,  as 
appropriate. 

•  Document  and  execute  an  audit  strategy  or  plan  for  application-level 
testing  of  system  controls. 

•  Coordinate  with  the  components  to  classify  all  identified  deficiencies 
as  control  deficiencies,  significant  deficiencies,  and  material 
weaknesses. 

Address deficiencies in its Corrective Action Phase activities by
performing the following:

•  Assess  the  population  of  implemented  corrective  action  plans  to 
determine  whether  the  deficiencies  we  found  in  our  nongeneralizable 
sample of DFAS’s corrective action plans are more widespread in the
population. 

•  Revise  its  FIAR  status  reports  to  accurately  reflect  the  current  status 
of  its  audit  readiness  efforts. 


Agency  Comments 
and  Our  Evaluation 


We  provided  a  draft  of  this  report  to  DOD  for  comment.  In  its  written 
comments,  reprinted  in  appendix  II,  DOD  concurred  with  our 
recommendations.  DOD  also  described  planned  and  ongoing  actions  that 
DFAS  and  the  FIAR  Directorate  are  taking  to  address  the 
recommendations,  including  developing  procedures  for  the  processes 
excluded  from  DFAS’s  contract  pay  FIP;  performing  a  materiality 
assessment  of  processes,  systems,  and  controls;  completing  a 
memorandum  of  understanding  to  document  roles  and  responsibilities  for 
each  component;  validating  the  completeness  and  accuracy  of 
populations  of  transactions  used  to  perform  testing;  and  reviewing  and 
certifying  corrective  actions. 

DOD  also  stated  that  significant  progress  had  been  made  but  much  work 
remained  to  be  accomplished  to  include  applying  lessons  learned  in 
implementing  the  FIAR  Guidance  during  audit  preparations,  as  our 
recommendations  indicated.  Further,  DOD  commented  that  there  had 
been  positive  results  and  it  was  expecting  a  favorable  opinion  from  the 
ongoing  independent  public  accountant  examination  being  conducted 
under  SSAE  No.  16.  However,  as  discussed  in  our  report,  the  scope  of 
DFAS’s  SSAE  No.  16  examination  was  limited  and  did  not  cover  all  key 
processes  that  will  materially  affect  the  timeliness,  accuracy,  and 
reliability  of  its  contract  pay  transaction  data.  Therefore,  until  DFAS 
completes its other efforts, such as establishing a general ledger
reconciliation  process,  it  does  not  have  reasonable  assurance  that  its 
SSAE  No.  16  examination  will  satisfy  the  needs  of  the  components  or 
provide  the  expected  benefits  to  the  department-wide  effort  to  assert  audit 
readiness  for  contract  pay  as  a  key  element  of  the  SBR. 


We  are  sending  copies  of  this  report  to  the  Secretary  of  Defense,  the 
Under  Secretary  of  Defense  (Comptroller)/Chief  Financial  Officer,  the 
Director  of  the  Defense  Finance  and  Accounting  Service,  the  Director  of 
DFAS-Columbus,  the  Director  of  the  Office  of  Management  and  Budget, 
and  appropriate  congressional  committees.  In  addition,  the  report  is 
available  at  no  charge  on  the  GAO  website  at  http://www.gao.gov. 

If  you  or  your  staff  have  any  questions  about  this  report,  please  contact 
me  at  (202)  512-9869  or  khana@gao.gov.  Contact  points  for  our  Offices 
of  Congressional  Relations  and  Public  Affairs  may  be  found  on  the  last 
page  of  this  report.  GAO  staff  members  who  made  major  contributions  to 
this  report  are  listed  in  appendix  III. 

To determine the extent to which the Defense Finance and Accounting
Service  (DFAS)  implemented  its  contract  pay  Financial  Improvement  Plan 
(FIP)  in  accordance  with  the  Financial  Improvement  and  Audit  Readiness 
(FIAR)  Guidance,  we  compared  DFAS’s  contract  pay  FIP  with  the  FIAR 
Guidance  to  determine  if  the  FIP  contained  all  steps  and  supporting 
documentation  that  the  FIAR  Guidance  requires  the  components  to 
complete.  Using  the  FIAR  Guidance,  we  analyzed  DFAS’s  FIP  supporting 
documentation,  such  as  process  narratives  and  flowcharts,  and  test  plans 
and  test  results.  We  also  analyzed  DFAS’s  efforts  to  address  deficiencies 
identified  during  testing.  Specifically,  we  selected  a  nongeneralizable 
sample1  of  25  deficiencies  that  were  reported  on  the  FIAR  Directorate’s 
Tracking Sheet as of September 23, 2013.2 To ensure the reliability of the
data  reported  on  the  Tracking  Sheet,  we  (1)  interviewed  FIAR  Directorate 
officials  to  obtain  an  understanding  of  the  process  they  followed  to 
monitor  and  validate  DFAS’s  efforts  to  remediate  identified  deficiencies 
and  (2)  reviewed  the  actions  taken  to  ensure  that  all  deficiencies 
identified  during  the  testing  were  included  in  the  Tracking  Sheet.  We  also 
reviewed  the  data  on  the  Tracking  Sheet  for  outliers,  such  as  the 
deficiencies  reported  on  the  Tracking  Sheet  as  not  being  fully  remediated 
or  controls  tested  for  which  DFAS  did  not  identify  any  deficiencies.  As  a 
result, we excluded 174 items from the total of 542 items3 on the Tracking
Sheet  for  a  population  of  368  deficiencies.4  From  this  population,  we 
selected  a  random  sample  of  20  deficiencies  with  noted  corrective  action 
plans5  that  were  designated  as  remediated  by  DFAS  as  of  September  23, 


1The results from a nongeneralizable sample cannot be used to make inferences about a
population. 

2The  FIAR  Directorate  developed  the  Tracking  Sheet  to  document  its  review  and 
validation  of  the  efforts  taken  by  DFAS  to  remediate  the  deficiencies  identified  during 
testing. 

3Out  of  the  542  items  in  the  tracking  sheet,  395  items  were  related  to  deficiencies 
identified  by  DFAS.  The  Tracking  Sheet  did  not  include  3  of  the  6  deficiencies  for  which 
DFAS  did  not  design  and  implement  the  necessary  corrective  actions  plans  and  1 
reported deficiency that did not require a corrective action plan.

4Out  of  the  399  deficiencies  identified  by  DFAS,  DFAS  did  not  remediate  6  deficiencies, 
the  implementation  of  24  corrective  action  plans  was  in  progress  on  the  FIAR  Directorate’s 
Tracking Sheet, and 1 reported deficiency did not require a corrective action plan. Thus,
the  FIAR  Directorate’s  Tracking  Sheet  contained  a  population  of  368  corrective  action 
plans  implemented  by  DFAS  as  of  September  23,  2013. 

5Corrective action plans describe the specific steps that will be taken to resolve an
identified  deficiency. 
2013. We also selected from the population of 368 deficiencies an
additional  5  deficiencies:  (1)  2  to  include  deficiencies  associated  with 
DFAS’s  testing  of  general  controls6  that  were  not  included  in  the  initial 
random  sample  and  (2)  3  deficiencies  identified  by  DFAS  as  remediated 
with  a  corrective  action  plan  where  the  FIAR  Directorate  noted  that  the 
controls  tested  did  not  apply  to  DFAS’s  contract  pay  FIP.  We  also 
interviewed  officials  from  DFAS’s  Office  of  Audit  Readiness,  DFAS’s 
Internal  Review,  and  the  FIAR  Directorate  to  obtain  explanations  and 
clarifications  on  the  results  of  our  evaluation  of  the  FIP. 

We  conducted  this  performance  audit  from  May  2012  to  April  2014  in 
accordance  with  generally  accepted  government  auditing  standards. 
Those  standards  require  that  we  plan  and  perform  the  audit  to  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  our 
findings  and  conclusions  based  on  our  audit  objectives.  We  believe  that 
the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 


6General  controls  are  the  policies  and  procedures  that  apply  to  all  or  a  large  segment  of 
an  entity’s  information  systems  and  help  ensure  their  proper  operation.  For  example, 
general  controls  include  logical  access  controls  that  prevent  or  detect  unauthorized 
access  to  sensitive  data  and  programs  that  are  stored,  processed,  and  transmitted 
electronically. 

OFFICE OF THE UNDER SECRETARY OF DEFENSE
1100 DEFENSE PENTAGON
WASHINGTON, DC 20301-1100

JUN  5  2014 

Mr.  Asif  A.  Khan 

Director,  Financial  Management  and  Assurance 
U.S.  Government  Accountability  Office 
441  G  Street,  NW 
Washington,  DC  20548 

Dear  Mr.  Khan: 

This  is  the  Department  of  Defense  (DoD)  response  to  the  Government  Accountability 
Office (GAO) draft report GAO-14-10, “DoD Financial Management: The Defense Finance and
Accounting  Service  Needs  to  Fully  Implement  Financial  Improvements  for  Contract  Pay,”  dated 
May  1,  2014  (GAO  Code  197118).  The  Department  acknowledges  receipt  of  the  draft  report  and 
we  concur  with  the  nine  recommendations.  Our  detailed  responses  are  enclosed. 

This  report  was  based  on  work  that  was  conducted  over  an  extended  period  of  time. 
During  this  period,  the  Defense  Finance  and  Accounting  Service  (DFAS)  has  worked  to  verify 
that  processes,  systems,  and  controls  over  contract  pay  are  suitably  designed  and  operating 
effectively.  Significant  progress  has  been  made  but  much  work  remains  to  be  accomplished,  to 
include  applying  lessons  learned  in  implementing  the  Financial  Improvement  and  Audit 
Readiness  Guidance  during  audit  preparations  as  your  recommendations  indicate. 

With  that  said,  there  have  been  positive  results  and  we  are  expecting  a  favorable  opinion 
from  the  ongoing  independent  public  accountant  exam  being  conducted  under  the  Statement  on 
Standards  for  Attestation  Engagements  No.  16  (SSAE  16)  standard.  This  product,  along  with 
other  required  reconciliations  outside  the  scope  of  SSAE  16,  must  be  part  of  DFAS  customers’ 
assertion  packages  relating  to  their  budgetary  statements.  We  agree  that  the  processes  performed 
by  DFAS  are  critical  to  ensure  that  the  contract  disbursements  are  accurately  recorded  and 
maintained  in  the  components’  general  ledgers.  We  will  review  these  processes  as  part  of 
component  assertions  between  now  and  September  30,  2014. 

Thank  you  for  the  opportunity  to  comment.  We  look  forward  to  your  continued 
engagement  and  support  on  this  very  important  agency-wide  initiative.  My  point  of  contact  for
this  effort  is  Ms.  Sharon  DePrato,  at  571-256-2707  or  sharon.d.deprato.civ@mail.mil. 


Sincerely, 


Robert  F.  Hale 


Enclosure: 
As  stated 
GAO  DRAFT  REPORT  DATED  MAY  1,  2014
GAO-14-10  (GAO  CODE  197118) 

“DOD  FINANCIAL  MANAGEMENT:  THE  DEFENSE  FINANCE  AND 
ACCOUNTING  SERVICE  NEEDS  TO  FULLY  IMPLEMENT  FINANCIAL 
IMPROVEMENTS  FOR  CONTRACT  PAY” 

DEPARTMENT  OF  DEFENSE  (DoD)  RESPONSES 
TO  GAO  RECOMMENDATIONS 


RECOMMENDATION  1:  The  GAO  recommends  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  discovery  phase  planning  activities  for  contract  pay  by 
documenting  its  contract  pay  end  to  end  process  by  developing  the  necessary  flowcharts  and 
narratives  for  those  processes  excluded  from  the  FIP. 

DoD  RESPONSE:  Concur.  Defense  Finance  and  Accounting  Service  (DFAS)  sites  have  either 
developed  and  shared  with  the  components,  or  are  in  the  process  of  developing  the  Treasury 
Reconciliation,  Accounting  &  Reporting,  and  Contract  Close  out  process  maps  and  narratives  for 
the  Contract  Pay  functions  outside  the  Statement  on  Standards  for  Attestation  Engagements 
No.  16  scope.  As  part  of  final  component  assertion  package  reviews,  the  Office  of  the  Under 
Secretary  of  Defense  (Comptroller)’s  Financial  Improvement  and  Audit  Readiness  (FIAR) 
directorate  will  validate  appropriate  documentation.  Estimated  completion  date  (ECD): 
September  30,  2014. 

RECOMMENDATION  2:  The  GAO  recommends  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  discovery  phase  planning  activities  for  contract  pay  by 
assessing  the  materiality  of  its  processes,  systems,  and  controls. 

DoD  RESPONSE:  Concur.  DFAS  sites  have  assessed  or  will  finalize  the  materiality 
assessment  (i.e.,  dollar  activity  and  risk  factors)  of  its  processes,  systems  and  controls.  As  part  of 
final  component  assertion  package  reviews,  the  FIAR  directorate  will  validate  required 
documentation.  ECD:  July  31,  2014. 

RECOMMENDATION  3:  The  GAO  recommends  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  discovery  phase  planning  activities  for  contract  pay  by 
completing  a  Memorandum  of  Understanding  with  each  of  the  components. 

DoD  RESPONSE:  Concur.  DFAS  sites  submitted  draft  memorandums  of  understanding  and 
concepts  of  operations  to  the  components  throughout  various  stages  of  their  assertion  work
during  2013  &  2014.  As  part  of  final  component  assertion  package  reviews,  the  FIAR
directorate  will  validate  that  this  information  has  been  finalized.  ECD:  September  30,  2014. 

RECOMMENDATION  4:  The  GAO  recommends  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  discovery  phase  testing  activities  by  validating  the 
completeness  and  accuracy  of  the  populations  of  transactions  used  to  perform  testing. 

DoD  RESPONSE:  Concur.  DFAS  has  either  developed  or  is  in  the  process  of  developing  a 
method  for  validating  the  population  to  be  tested  by  reconciling  the  population  to  the  General 
Ledger.  As  part  of  final  component  assertion  package  reviews,  the  FIAR  directorate  will 
examine  this  capability.  ECD:  September  30,  2014. 

RECOMMENDATION  5:  The  GAO  recommends  that  the  Under  Secretary  of  Defense
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  discovery  phase  testing  activities  by  considering  and 
assessing  the  design  and  operational  effectiveness  of  the  entity  level  general  controls  that  were 
not  tested  by  DFAS. 

DoD  RESPONSE:  Concur.  DFAS  Internal  Review  will  conduct  an  audit  of  the  remaining 
139  entity-level  Information  Technology  General  Controls  (ITGCs)  that  were  not  reviewed 
during  an  April  2013  audit  of  entity-level  ITGCs.  As  part  of  final  component  assertion  package 
reviews,  the  FIAR  directorate  will  validate  supporting  documentation.  ECD:  August  31,  2014. 

RECOMMENDATION  6:  The  GAO  recommends  that  the  Under  Secretary  of  Defense
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  discovery  phase  testing  activities  by  documenting  and 
executing  an  audit  strategy  or  plan  for  application  level  testing  of  system  controls. 

DoD  RESPONSE:  Concur.  DFAS  has  developed  a  strategy  of  focusing  on  the  most  critical 
Federal  Information  System  Controls  Audit  Manual  control  objectives,  which  includes  System 
Security,  Access  Control,  Configuration  Management,  Segregation  of  Duties,  Interface  Strategy, 
and  Design  and  Interface  Processing.  As  part  of  final  component  assertion  package  reviews,  the 
FIAR  directorate  will  validate  supporting  documentation.  ECD:  June  30,  2014. 

RECOMMENDATION  7:  The  GAO  recommends  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  discovery  phase  testing  activities  by  coordinating  with  the 
components  to  classify  all  identified  deficiencies  as  control  deficiencies,  significant  deficiencies 
and  material  weaknesses. 

DoD  RESPONSE:  Concur.  DFAS  has  shared  Contract  Pay  test  failures  with  the  components 
and  will  ensure  all  of  the  failures  are  classified  as  control  deficiencies,  significant  deficiencies,  or 
material  weaknesses  in  relation  to  their  impact  on  the  General  Fund  Financial  Statements.  As 
part  of  final  component  assertion  package  reviews,  the  FIAR  directorate  will  validate  required
documentation.  ECD:  September  30,  2014.

RECOMMENDATION  8:  The  GAO  recommends  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  corrective  action  phase  activities  by  assessing  the  population 
of  implemented  corrective  action  plans  to  determine  whether  the  deficiencies  that  GAO  found  in 
their  nongeneralizable  sample  of  DFAS'  corrective  action  plans  are  more  widespread  in  the 
population. 

DoD  RESPONSE:  Concur.  Corrective  actions  for  the  information  technology  general  level 
controls  will  be  reviewed  and  certified  by  a  qualified  independent  public  accountant.  Corrective 
actions  for  the  business  process  controls  will  be  reviewed  and  certified  by  the  DFAS  Audit 
Readiness  teams.  As  part  of  final  component  assertion  package  reviews,  the  FIAR  directorate 
will  review  supporting  documentation.  ECD:  July  31,  2014. 

RECOMMENDATION  9:  The  GAO  recommends  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer  direct  the  Director  of  the  Defense  Finance  and  Accounting 
Service  to  address  deficiencies  in  its  corrective  action  phase  activities  by  revising  its  FIAR  status 
reports  to  accurately  reflect  the  current  status  of  its  audit  readiness  efforts. 

DoD  RESPONSE:  Concur.  FIAR  status  reports  have  accurately  reflected  past  status  of  efforts, 
based  on  available  information.  DFAS  sites  will  review  and  revalidate  financial  improvement 
plans  (DFAS  Contract  Pay  Self  Review  plans)  for  the  components  to  ensure  that  they  accurately 
reflect  the  current  status  of  DFAS  efforts.  ECD:  September  30,  2014. 